A Practical Approach for Generic Bootkit Detection and Prevention Bernhard Grill, Christian Platzer, Jürgen Eckel Vienna University of Technology, IKARUS Security Software GmbH [email protected]

[EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Embed Size (px)


Slides for my talk at EuroSec 2014 in Amsterdam on our paper "A Practical Approach for Generic Bootkit Detection and Prevention". For details on the paper or me checkout http://www.iseclab.org/people/bgrill/

Citation preview

Page 1: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

A Practical Approach for Generic Bootkit Detection and Prevention

Bernhard Grill, Christian Platzer, Jürgen EckelVienna University of Technology, IKARUS Security

Software GmbH

[email protected]

Page 2: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

About This Talk

● Master student at the Secure Systems Lab @ Vienna University of Technology → http://www.iseclab.org/people/bgrill/

● Still ongoing research → preliminary results

● Feedback / improvement ideas / discussion is very welcome! :)

Page 3: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● Background (Objectives, Boot Process, Bootkits)

● System Overview & Detection Heuristics

● Implementation

● Preliminary Evaluation

● Limitations & Evasion Techniques

● Future Work & Open Questions

Page 4: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Background- Objectives- Boot Process- Bootkits

Page 5: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● Develop system to detect and prevent bootkit attacks

● Integrate with existing security measures like DEP, ASLR, AV, IDS,…

● Capable of detecting 0-days

Page 6: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Boot Process Overview

boot process overview on BIOS / MBR based systems

Page 7: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● “Bootkit” is a combination of the terms “boot” and “rootkit”

● Bootkits are a very aggressive kind of malware deeply infecting the system

● Bootkits interfere with the boot process to gain control before the kernel starts (and is able to protect itself)

● Target is to infect the kernel and gain kernel-level privileges

Page 8: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Bootkit Behavior

boot process with infected bootloader (BL)

Page 9: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

System Overview & Used Detection Heuristics

Page 10: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

System Overview

● System consists of two major components (driver, detection engine)

● Driver triggers detection engine on write requests to hard disk areas containing boot code or data

● Engine emulates and monitors the system boot process during normal system operation

Page 11: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

System Overview

Page 12: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Used Detection Heuristics

1) Disk access heur: bootkits store config & code at the end of the hard disk → we define loading content from the disk's end during boot process as malicious

2) Self-modifying code heur: self-modifying code is prohibited

3) Decryption routine heur: loops with large iteration counts performing certain instructions are prohibited

4) Hook heur: Modifying the interrupt vector table (IVT) during boot process is forbidden. To the best of our knowledge, this step is mandatory for bootkits.

Page 13: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


Page 14: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● Implemented the system for Windows

● Kernel-level driver + user-land detection engine based on a custom system emulator

● Whitelisting for benign boot processes to avoid false-positives

Page 15: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● System partially implemented

• Driver PoC

• Necessary emulator adoptions finished

• Finished heuristics: decryption loop heur, disk read access heur, hooking heur

• Todo: self modifying code heur, recovery module

Page 16: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Preliminary Evaluation- Driver Performance Evaluation- Engine Evaluation

- Decryption Loop Filter- Disk Read Request Filter

Page 17: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Driver Performance Evaluation

Page 18: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Engine Evaluation

● Leaked Carberp bootkit was used for first evaluation

● Let's check the results of the implemented heuristics

– Decryption loop filter

– Disk read access filter

Page 19: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

decryption loop heuristic output

Engine Evaluation

Page 20: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

disk read request heuristic output

Engine Evaluation

Page 21: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Limitations & Evasion Techniques

Page 22: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● No UEFI support -> fundamentally different from BIOS/MBR boot process

● No GPT (GUID Partition Table) support yet -> will be included later

● BIOS- and Hive-based bootkits not detected (but they are very rare)

Page 23: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Evasion Techniques

● Driver / engine detection by full disk search (before infection)

● Driver / engine removal (assuming sufficient permissions & system restart) → self protection

● Environment detection during emulation (CPU, HDD model,…)

● Instruction counter exhausting (due to limited amount of emulated instructions) → emulate until kernel starts

Page 24: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Evasion Techniques on Heuristics

● Disk read access heur: store bootkits‘ code and data in unsuspicious areas, e.g. not at hdd‘s end (risky, due to accidential overwrites by OS)

● Self-modifying code & decryption loop heur: refrain from using such code -> prone to pattern-based detection

● Interrupt hook filter: to the best of our knowledge, every bootkit performs interrupt hooking to regain control after executing original code -> conjecture part of future work

Page 25: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Future Work & Open Questions

Page 26: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Future Work

● Implement missing parts

● Perform larger evaluation with different malware families

● Check whether every bootkit relies on interrupt hooking

● Check whether benign boot processes trigger false positives -> if not, remove white-listing

Page 27: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


● Developed bootkit detection & prevention engine

● Based on boot process emulation and virtual machine introspection (VMI) to separate benign form malicious boot processes

● Prepared a demo if you're interested

Page 28: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention

Open Questions

● How to detect self-modifying code in x86? No, checking w+x on memory is not sufficient :)

Page 29: [EuroSec 2014] A Practical Approach for Generic Bootkit Detection and Prevention


[email protected]